Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide

Configuration Overview

After installing the product, you must configure the product deployment, which includes doing the following:

This section provides an overview of the following configuration element concepts:

Note - Some related configuration instructions appear in Chapter 4, Configuring Core Resources.


A directory represents the following:

You can configure any number of each directory type.

Synchronization Settings

You use synchronization settings to control the direction in which object creations, object deletions, passwords and other attribute modifications are propagated between Directory Server and Windows directories. Synchronization flow options are as follows:

Note - In a configuration that includes Active Directory and Windows NT, it is not possible to save a configuration that specifies different synchronization settings for creations or modifications between Windows NT and Directory Server, and between Active Directory and Directory Server.

Object Classes

When you configure resources, you will specify which entries to synchronize based on their object class. Object classes determine which attributes will be available to synchronize for both Directory Server and Active Directory.

Note - Object classes are not applicable for Windows NT.

Identity Synchronization for Windows supports two types of object classes:

For instructions on configuring object classes and attributes, see Chapter 4, Configuring Core Resources.

Attributes and Attribute Mapping

Attributes hold descriptive information about a user entry. Every attribute has a label and one or more values, and follows a standard syntax for the type of information that can be stored as the attribute value.

You can define attributes from the Console. See Chapter 4, Configuring Core Resources.

Attribute Types

Identity Synchronization for Windows synchronizes significant and creation user attributes, as follows:

Note - Significant attributes are automatically synchronized as creation attributes but not the other way around. Creation attributes are only synchronized during user creations.

Parameterized Attribute Default Values

Identity Synchronization for Windows allows you to create parameterized default values for creation attributes using other creation or significant attributes.

To create a parameterized default attribute value, you embed an existing creation or significant attribute name, preceded and followed by percent symbols (%attribute_name%), in an expression string. For example, homedir=/home/%uid% or cn=%givenName%. %sn%.
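The following is an added example, not part of the guide and not the product's own code, that previews how a parameterized default such as homedir=/home/%uid% expands for one entry before you configure it. The accepted attribute-name syntax, the one-value-per-reference rule, the path check, and the sample data are assumptions of this example, not documented product behavior.

```python
import re

# %attribute_name% reference as the guide describes it. The accepted name
# syntax (letter, then letters/digits/hyphens) is an assumption of this example.
_REF = re.compile(r"%([A-Za-z][A-Za-z0-9-]*)%")

# Constructed sample data, not taken from a real deployment.
CONFIGURED = {"uid", "givenName", "sn", "cn", "homedir"}
SAMPLE_ENTRY = {"uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"]}


def expand_default(expression, entry, configured=CONFIGURED):
    """Expand 'target=template' against one entry; return (target, value).

    entry maps attribute names to lists of values. configured is the set of
    attributes set up as creation or significant attributes.
    """
    target, sep, template = expression.partition("=")
    if not sep or not target.strip():
        raise ValueError(f"expected target=template, got {expression!r}")
    known = {name.lower() for name in configured}
    values = {name.lower(): vals for name, vals in entry.items()}

    def substitute(match):
        name = match.group(1)
        key = name.lower()  # LDAP attribute names are case-insensitive
        if key not in known:
            raise ValueError(f"{name} is not a creation or significant attribute")
        vals = values.get(key, [])
        if len(vals) != 1:
            # Policy of this example: exactly one value per referenced attribute.
            raise ValueError(f"{name} has {len(vals)} values in this entry")
        value = vals[0]
        # Added defensive check: a synchronized value must not be able to
        # change the directory part of a path-valued default (homedir).
        if template.startswith("/") and ("/" in value or value in (".", "..")):
            raise ValueError(f"{name} value {value!r} would alter the path")
        return value

    return target.strip(), _REF.sub(substitute, template)


if __name__ == "__main__":
    for expr in ("homedir=/home/%uid%", "cn=%givenName%. %sn%"):
        print(expand_default(expr, SAMPLE_ENTRY))
```

Running the same expressions against a handful of real entries exported from each directory shows which users would fail creation because a referenced attribute is missing or holds an unexpected value.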

When you create these attribute default values, follow these guidelines:

Mapping Attributes

After you define the attributes to synchronize, map the attribute names between the Directory Server and Active Directory/Windows NT systems to synchronize them to each other. For example, you must map the Sun inetorgperson attribute to the Active Directory user attribute.

You use attribute maps for both significant and creation attributes, and you must configure attribute maps for all “mandatory creation attributes” in each directory type.

Synchronization User Lists

You create Synchronization User Lists (SULs) to define specific users in both the Directory Server and Windows directories to be synchronized. These definitions enable synchronization of a flat Directory Information Tree (DIT) to a hierarchical directory tree.

The following concepts are used to define a Synchronization User List:

An SUL includes two definitions. Each definition identifies the group of users to be synchronized in the topology terms of the directory type.

When you are preparing to create SULs, ask yourself the following questions:

See Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows for detailed information about creating SULs.